Compliance Checklist For Automated Decision-Making Under GDPR

Contributors

Anas Baig

Product Marketing Manager at Securiti

Semra Islam

Sr. Data Privacy Analyst

CIPM, CIPP/Europe

Published May 2, 2024


Automated decision-making is taking on growing importance as organizations adopt artificial intelligence (AI) wherever it can be applied. Sophisticated algorithms and models promise significant gains in business productivity, performance, and efficiency. At the same time, they pose serious challenges to consumers' privacy and autonomy.

The General Data Protection Regulation (GDPR) takes a nuanced approach to automated decision-making. While it acknowledges the efficiency such technologies can bring, it places great weight on mechanisms that ensure these technologies do not operate unchecked and unchallenged.

Most importantly, Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them. Such decisions are permitted only on narrow grounds, of which the data subject's explicit consent is the one organizations most often rely on.

Best Practices Checklist For Compliance

Consent is a cornerstone of GDPR compliance. In the automated decision-making context, it takes on even greater importance: an organization may subject an individual to a solely automated decision with legal or similarly significant effects only if it has the explicit consent of the data subject, is authorized to do so by Union or Member State law, or the decision is necessary for entering into or performing a contract between the data subject and the organization.

According to the EDPB Guidelines on Consent, the term 'explicit consent' refers to the way the data subject expresses consent: it requires an express statement of consent rather than an inferred one. This can be achieved through a written statement confirming consent. In digital or online settings, explicit consent can also be obtained through actions such as completing an electronic form, sending an email, submitting a scanned document bearing the data subject's signature, using an electronic signature, or completing a two-step verification procedure.

The organization collecting the data bears the onus of ensuring that data subjects have adequate information about, and understand, the consequences of consenting to automated decision-making.

A Dynamic Privacy Notice

Just as technology is evolving, so are customer expectations. Modern customers are better informed and more vigilant about what data websites collect and how it is used. Additionally, most data privacy laws, including the GDPR, require the organization collecting the data to inform all visitors to its website about its data collection practices, including any automated decision-making.

Data controllers must inform data subjects about automated decision-making involving their data, including profiling, that has legal or similarly significant effects. Such notices must contain meaningful information about the logic involved, the significance of the processing, and, at least where it is based on profiling, its envisaged consequences for the data subject, along with the data subject's right to object to such profiling. The data subject must also be informed about the factors considered in the decision-making process and their 'weight' at an aggregate level.

Data subjects must also be told how they can request human intervention, express their point of view, and contest the decision.

Appropriate Data Security Measures

Where automated decision-making with legal or similarly significant effects is necessary for entering into or performing a contract between the data subject and a data controller, or is based on the data subject's explicit consent, the GDPR requires the controller to implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests. At a minimum, these must include the right to obtain human intervention on the part of the controller, to express their point of view, to obtain an explanation of the decision reached, and to contest the decision.

Further, organizations are recommended to employ the following measures:

  • Use appropriate mathematical or statistical procedures for profiling;
  • Implement appropriate technical and organizational measures to correct inaccuracies, minimize the risk of errors, mitigate risks to data subjects' interests and rights, and prevent discriminatory effects based on special categories of data such as race, ethnicity, or health status;
  • Where human review is offered, ensure it is carried out by someone with the authority and competence to change the decision;
  • Ensure the human reviewer carries out a thorough assessment of all relevant data, including any additional information provided by the data subject.

Seamless DSR Fulfillment

The GDPR grants individuals specific data subject rights in relation to automated decision-making, including profiling. These include the rights of access, objection, rectification, erasure, and restriction of processing.

To that end, organizations must have a seamless mechanism in place that allows individuals to submit DSR requests. The process should be streamlined and simple enough that an individual can readily exercise the rights the GDPR guarantees. Doing so reinforces individuals' trust in the organization's willingness to take their concerns and grievances seriously.

Dealing with Sensitive Personal Data

Automated decision-making with legal or similarly significant effects that involves special categories of personal data (sensitive data) is only allowed if suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests are in place and one of the following grounds applies:

  1. The data subject has given explicit consent to the processing for one or more specified purposes, except where Union or Member State law provides that the prohibition on processing such data cannot be lifted by the data subject; or
  2. The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. It must be proportionate to the aim pursued, respect the essence of the right to data protection, and provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Regular DPIAs

Organizations must be thorough and diligent when conducting Data Protection Impact Assessments (DPIAs). These assessments are vital for proactively identifying and mitigating the risks of data processing activities, and a DPIA is mandatory where an organization carries out a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based.

Regular DPIAs allow organizations to assess their data processing activities and their potential impact on individuals' privacy rights over time. They also inform the selection and implementation of data protection measures proportionate to the identified risks.

Appropriate Data Protection Principles

For organizations subject to the GDPR, adherence to its data protection principles is non-negotiable. This means placing lawfulness, fairness, and transparency at the center of all data processing activities. In the context of automated decision-making, organizations must deploy appropriate procedures for profiling together with the measures needed to proactively address inaccuracies, errors, and other threats to individuals' rights.

The principles of accuracy, data minimization, purpose limitation, and storage limitation must be adhered to equally, so that any data collected is accurate, and is collected and retained only to the extent necessary for the purpose disclosed to the individual.

Additional Safeguards for Children & Employment Context

Organizations must be especially careful when automated decision-making involves children or takes place in an employment context.

As a general rule, children should not be subjected to solely automated decision-making. Where it is nonetheless necessary (e.g., for their welfare), the organization processing the data must have mechanisms in place to ensure that the necessary consent is obtained from a parent or guardian, along with additional safeguards that protect children's rights, freedoms, and legitimate interests, including the right to obtain human intervention, express their point of view, obtain an explanation of the decision, and contest it. Codes of conduct that incorporate such safeguards and set out how consent is to be obtained from holders of parental responsibility should also be followed.

In the employment context, organizations must weigh the imbalance of power between employer and employee. Consent may only be used as a legal basis where employees suffer no adverse consequences if they decline to consent to automated decision-making. Any consent sought in this context must be genuinely free and not coerced.

Ideally, employers should rely on one of the other two grounds for automated decision-making (performance of a contract, or explicit authorization by Union or Member State law). Where consent is used, employers must offer an alternative, such as human involvement, to employees who refuse consent, and that refusal must not disadvantage them.

Appointing a Data Protection Officer

The GDPR requires data controllers and processors to appoint a data protection officer (DPO) where their core activities consist of processing operations, such as profiling and automated decision-making, that require regular and systematic monitoring of data subjects on a large scale. The DPO is a key accountability measure in this context.

How Securiti Can Help

For organizations seeking to navigate the complexities of automated decision-making under the GDPR, the principles of transparency and trust must be at the forefront of the compliance process. Automated solutions that provide granular insight and a central dashboard make it possible to intervene immediately whenever necessary.

Securiti’s Data Command Center is a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Through the Data Command Center, organizations gain access to individual modules that support compliance with the relevant obligations, such as DSR automation, universal consent management, and privacy policy management. Used properly, these enable effective and efficient compliance with the regulatory requirements placed on organizations.

Request a demo today and learn more about how Securiti can help you comply with the obligations placed on your organization by the GDPR, as well as other major data privacy and protection laws globally.

Frequently Asked Questions (FAQs)

Some of the most commonly asked questions are as follows:

Under GDPR Article 22, automated decision-making refers to decisions made solely by software or algorithms, including profiling, without meaningful human involvement, where those decisions produce legal effects or similarly significant effects on a person.

It covers decisions with legal effects, such as denying a loan or rejecting a job applicant, as well as decisions that similarly significantly affect a person, such as certain forms of automated profiling. Not every automated decision falls under Article 22; it depends on the circumstances and on how much impact the decision has on the individual.

Profiling means using automated processing of personal data to evaluate personal aspects of an individual, such as their behavior, preferences, or reliability. When profiling feeds into a solely automated decision with legal or similarly significant effects on a person, the protections of Article 22 apply.
